nozaq / terraform-aws-secure-baseline

Terraform module to set up your AWS account with the secure baseline configuration based on CIS Amazon Web Services Foundations and AWS Foundational Security Best Practices.
MIT License

Issue creating CloudTrail #306

Closed andy-townsend closed 1 year ago

andy-townsend commented 1 year ago

Describe the bug

Trying to deploy the module following the organization example but running into an issue with CloudTrail. I've delegated cloudtrail to my LogArchive account and trying to set that as account_type = "master"

When deployed, it creates everything but fails to start the Cloudtrail logging.

Error: Error starting logging on CloudTrail (cloudtrail-multi-region): TrailNotFoundException: Unknown trail: arn:aws:cloudtrail:us-east-1:920543562103:trail/cloudtrail-multi-region for the user: <log_archive_account_id>

The trail seems to exist but it shows under the mgmt account id rather than the delegated administrator's account.

```
$ aws cloudtrail list-trails
{
    "Trails": [
        {
            "TrailARN": "arn:aws:cloudtrail:us-east-1:<mgmt_account_id>:trail/cloudtrail-multi-region",
            "Name": "cloudtrail-multi-region",
            "HomeRegion": "us-east-1"
        }
    ]
}
```

When I re-run Terraform, it states that it already exists;

```
│ Error: Error creating CloudTrail: TrailAlreadyExistsException: Trail cloudtrail-multi-region already exists for customer: (Service: AWSCloudTrail; Status Code: 400; Error Code: TrailAlreadyExistsException; Request ID: a895136c-3390-4a0e-b270-2aee05c0f931; Proxy: null)
```

So I'm a bit confused as to how it should be deployed in an organisation. It seems as though CloudTrail has to be created only in the Management account and not a delegated administrator account? How are people then deploying the bucket for cloudtrail? Is that in their Logging or Management account?

## Versions

- Terraform: 1.1.7
- Provider: 4.37.0
- Module: v2.0.0

## Expected behavior

Cloudtrail is created in the delegated administrator account along with the audit bucket.

## Actual behavior

Cloudtrail is created in the management account

nozaq commented 1 year ago

@andy-townsend Currently the master account type is supposed to be used only for the management account in your organization.

If you'd like to store log data outside of your management account, you can configure CloudTrail to export all events to your desired bucket by passing var.audit_log_bucket_name. In this case, you create the organization trail in your management account while keeping the log data in the log archive account. This is similar to the setup when you use AWS Control Tower.

Please let me know if you have any particular reason to set up CloudTrail outside of your management account, thanks!
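The symptom in this thread (a trail that `list-trails` reports under a different account id than the one running Terraform, followed by `TrailNotFoundException` / `TrailAlreadyExistsException`) can be caught before a second apply. The following is an added example, not code from the module or from either participant: it parses output shaped like the `aws cloudtrail list-trails` JSON quoted above, compares each trail's owning account with the caller's account id, and applies the rule nozaq states, that `account_type = "master"` belongs only in the management account. The JSON and all account ids are constructed placeholders; in practice you would feed it the real command output and the result of `aws sts get-caller-identity`.

```python
import json
import re

# Constructed sample, shaped like the `aws cloudtrail list-trails` output in the
# issue, with placeholder account ids (no real ids from any account).
SAMPLE_LIST_TRAILS = json.dumps({
    "Trails": [
        {
            "TrailARN": "arn:aws:cloudtrail:us-east-1:111111111111:trail/cloudtrail-multi-region",
            "Name": "cloudtrail-multi-region",
            "HomeRegion": "us-east-1",
        }
    ]
})

# CloudTrail trail ARN: arn:<partition>:cloudtrail:<region>:<account>:trail/<name>
TRAIL_ARN_RE = re.compile(
    r"^arn:(?P<partition>aws[a-z-]*):cloudtrail:"
    r"(?P<region>[a-z0-9-]+):(?P<account>\d{12}):trail/(?P<name>[^/]+)$"
)


def parse_trail_arn(arn):
    """Split a trail ARN into its parts; raise on anything that is not a trail ARN."""
    match = TRAIL_ARN_RE.match(arn)
    if match is None:
        raise ValueError(f"not a CloudTrail trail ARN: {arn!r}")
    return match.groupdict()


def find_foreign_trails(list_trails_json, caller_account_id):
    """Return (trail name, owning account) for every trail whose ARN is not
    owned by the account the caller is operating in.

    An organization trail is visible from member accounts, so a mismatch here
    is exactly the situation that makes `start-logging` fail with
    TrailNotFoundException from a delegated administrator account.
    """
    payload = json.loads(list_trails_json)
    foreign = []
    for trail in payload.get("Trails", []):
        parts = parse_trail_arn(trail["TrailARN"])
        if parts["account"] != caller_account_id:
            foreign.append((parts["name"], parts["account"]))
    return foreign


def check_account_type(account_type, caller_account_id, management_account_id):
    """Apply the maintainer's rule: "master" is only valid in the management
    account. Returns a warning string, or None when the combination is fine.
    """
    if account_type == "master" and caller_account_id != management_account_id:
        return (
            f"account_type=\"master\" used in account {caller_account_id}, "
            f"but the organization's management account is {management_account_id}; "
            "create the organization trail from the management account and point "
            "audit_log_bucket_name at the bucket in the log archive account instead"
        )
    return None


def diagnose(list_trails_json, caller_account_id, account_type, management_account_id):
    """Combine both checks into a list of human-readable findings."""
    findings = []
    for name, owner in find_foreign_trails(list_trails_json, caller_account_id):
        findings.append(
            f"trail {name!r} is owned by account {owner}, not by the current "
            f"account {caller_account_id}; Terraform in this account cannot "
            "manage or start logging on it"
        )
    warning = check_account_type(account_type, caller_account_id, management_account_id)
    if warning:
        findings.append(warning)
    return findings


if __name__ == "__main__":
    # Reproduces the issue's situation: running as the (placeholder) log archive
    # account 222222222222 with account_type="master", while the trail lives in
    # the (placeholder) management account 111111111111.
    for line in diagnose(SAMPLE_LIST_TRAILS, "222222222222", "master", "111111111111"):
        print("FINDING:", line)
```

Run with no findings printed, the account running Terraform owns the trail and the `account_type` matches the maintainer's guidance; each finding points at one of the two mismatches described in the thread.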

andy-townsend commented 1 year ago

Closing as info provided. Cheers